Cyber threat deception method and system, and forwarding device
Abstract
This application discloses a cyber threat deception method and system, and a forwarding device. The forwarding device obtains a deception target set, where the deception target set includes a deception target, and the deception target includes an unused internet protocol (IP) address or an unopened port number on a used IP address. The forwarding device receives an IP packet from a host, and determines whether a destination party that the IP packet requests to access belongs to the deception target set. If the destination party that the IP packet requests to access belongs to the deception target set, the forwarding device sends the IP packet to a honeypot management server. The forwarding device receives a response packet, returned by the honeypot management server, of the corresponding IP packet. The forwarding device sends the response packet to the host.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. A cyber threat deception method, comprising:
obtaining, by a forwarding device, a deception target set, wherein the deception target set comprises at least one deception target, and the at least one deception target comprises an unused internet protocol (IP) address or an unopened port number on a used IP address, wherein the obtaining the deception target set comprises:
receiving a third IP packet;
querying, by the forwarding device based on a destination IP address of the third IP packet, a routing table of the forwarding device for a next-hop IP address corresponding to the third IP packet; and
when no next-hop IP address corresponding to the third IP packet is in the routing table, adding, by the forwarding device to the deception target set, the destination IP address of the third IP packet as an unused IP address;
receiving, by the forwarding device, a first IP packet from a first host;
determining, by the forwarding device, whether a destination party that the first IP packet requests to access belongs to the deception target set;
when the destination party that the first IP packet requests to access belongs to the deception target set, sending, by the forwarding device, the first IP packet to a honeypot management server;
receiving, by the forwarding device, a second IP packet from the honeypot management server, wherein the second IP packet is a response packet of the first IP packet; and
sending, by the forwarding device, the second IP packet to the first host.
2. The method according to claim 1 , further comprising:
when no next-hop IP address corresponding to the third IP packet is in the routing table, sending, by the forwarding device, the third IP packet to the honeypot management server; and
receiving, by the forwarding device from the honeypot management server, a response packet of the third IP packet, and forwarding the response packet.
3. The method according to claim 1 , further comprising:
when a next-hop IP address corresponding to the third IP packet is in the routing table, querying, by the forwarding device, an Address Resolution Protocol (ARP) table for a media access control (MAC) address corresponding to the next-hop IP address;
when no MAC address corresponding to the next-hop IP address is in the ARP table, determining, by the forwarding device, an online status of the destination IP address of the third IP packet based on an IP address status table, wherein the IP address status table is used to indicate online statuses one-to-one corresponding to a plurality of IP addresses within a range of at least one subnet connected to the forwarding device, and the online status is online or offline; and
when no MAC address corresponding to the next-hop IP address is in the ARP table and the online status of the destination IP address of the third IP packet is offline, adding, by the forwarding device to the deception target set, the destination IP address of the third IP packet as an unused IP address.
4. The method according to claim 3 , further comprising:
when no MAC address corresponding to the next-hop IP address is in the ARP table and the online status of the destination IP address of the third IP packet is offline, sending the third IP packet to the honeypot management server; and
receiving, from the honeypot management server, a response packet of the third IP packet, and forwarding the response packet.
5. The method according to claim 3 , wherein the IP address status table is obtained by performing the following steps:
sending, by the forwarding device, an ARP request packet for each of the plurality of IP addresses within the range of the subnet connected to the forwarding device; and
when the forwarding device does not receive an ARP reply packet of a first IP address, adding the first IP address to the IP address status table, wherein the first IP address is an IP address of the plurality of IP addresses; and
setting a status of the first IP address to offline.
6. The method according to claim 5 , further comprising: receiving, by the forwarding device, an ARP reply packet of a second IP address, wherein the second IP address is an IP address of the plurality of IP addresses;
adding the second IP address to the IP address status table; and
setting a status of the second IP address to online.
7. The method according to claim 1 , wherein the obtaining the deception target set comprises:
receiving, by the forwarding device, a fourth IP packet, wherein the fourth IP packet is a connection reset (RST) packet;
determining whether the fourth IP packet satisfies a deception condition, wherein the deception condition comprises:
before the fourth IP packet is received, at least one connection establishment (SYN) packet corresponding to the fourth IP packet is received, wherein a destination IP address of the SYN packet is same as a source IP address of the fourth IP packet, and a destination port number of the SYN packet is same as a source port number of the fourth IP packet; and
when the fourth IP packet satisfies the deception condition, adding, by the forwarding device to the deception target set, the source port number of the fourth IP packet as an unopened port number on a used IP address, wherein the used IP address is the source IP address of the fourth IP packet.
8. The method according to claim 1 , wherein the obtaining the deception target set comprises:
receiving, by the forwarding device, a fourth IP packet, wherein the fourth IP packet is a RST packet;
determining whether the fourth IP packet satisfies a deception condition, wherein the deception condition comprises:
at least one SYN packet corresponding to the fourth IP packet is received previous to a predetermined period of time that is before the fourth IP packet is received, and one or more packets that is or that are received within the predetermined period of time and that has or that have a same source IP address and a same source port number as the fourth IP packet is or are all RST packets or internet control message protocol (ICMP) unreachable packets, wherein a destination IP address of the SYN packet corresponding to the fourth IP packet is same as a source IP address of the fourth IP packet, and a destination port number of the SYN packet corresponding to the fourth IP packet is same as a source port number of the fourth IP packet; and
when the fourth IP packet satisfies the deception condition, adding, by the forwarding device to the deception target set, the source port number of the fourth IP packet as an unopened port number on a used IP address, wherein the used IP address is the source IP address of the fourth IP packet.
9. The method according to claim 8 further comprising:
when the fourth IP packet satisfies the deception condition, sending the SYN packet corresponding to the fourth IP packet to the honeypot management server; and
receiving, from the honeypot management server, a response packet of the SYN packet, and forwarding the response packet of the SYN packet to the first host.
10. The method according to claim 1 , wherein the obtaining the deception target set comprises:
receiving, by the forwarding device, a fourth IP packet, wherein the fourth IP packet is an ICMP unreachable packet;
determining whether the fourth IP packet satisfies a deception condition, wherein the deception condition comprises:
before the fourth IP packet is received, at least one user datagram protocol (UDP) packet corresponding to the fourth IP packet is received, wherein a destination IP address of the UDP packet is same as a source IP address of the fourth IP packet, and a destination port number of the UDP packet is same as a source port number of the fourth IP packet; and
when the fourth IP packet satisfies the deception condition, adding, by the forwarding device to the deception target set, the source port number of the fourth IP packet as an unopened port number on a used IP address, wherein the used IP address is the source IP address of the fourth IP packet.
11. The method according to claim 1 , further comprising:
receiving, by the forwarding device, a fourth IP packet, wherein the fourth IP packet is a connection establishment acknowledgment SYN-ACK packet;
determining, by the forwarding device, whether the deception target set comprises a to-be-deleted deception target, wherein the to-be-deleted deception target is an unopened port number on a used IP address, the used IP address is a source IP address of the fourth IP packet, and the unopened port number is a source port number of the fourth IP packet; and
when the deception target set comprises the to-be-deleted deception target, deleting, by the forwarding device, the to-be-deleted deception target from the deception target set.
12. The method according to claim 1 , further comprising:
forwarding, by the forwarding device, a domain name system (DNS) domain name request;
intercepting and stopping forwarding, by the forwarding device, a first DNS response packet, wherein the first DNS response packet is a response packet of the DNS domain name request, and the first DNS response packet indicates that a domain name queried by the DNS domain name request does not exist;
generating, by the forwarding device, a second DNS response packet, wherein the second DNS response packet comprises an IP address corresponding to the domain name queried by the DNS domain name request, and the IP address corresponding to the domain name is an unused IP address in the deception target set; and
sending, by the forwarding device, the second DNS response packet.
13. A forwarding device, comprising:
a network interface; and
at least one processor coupled to the network interface, wherein
the at least one processor is configured to:
obtain a deception target set, wherein the deception target set comprises at least one deception target, and the at least one deception target comprises an unused internet protocol (IP) address or an unopened port number on a used IP address, wherein the network interface is configured to receive a third IP packet, and the at least one processor is configured to:
query, based on a destination IP address of the third IP packet, a routing table of the forwarding device for a next-hop IP address corresponding to the third IP packet; and
when no next-hop IP address corresponding to the third IP packet is in the routing table, add, to the deception target set, the destination IP address of the third IP packet as an unused IP address;
the network interface is configured to receive a first IP packet from a first host;
the at least one processor is further configured to determine whether a destination party that the first IP packet requests to access belongs to the deception target set; and
the network interface is configured to:
when the destination party that the first IP packet requests to access belongs to the deception target set, send the first IP packet to a honeypot management server;
receive a second IP packet from the honeypot management server, wherein the second IP packet is a response packet of the first IP packet; and
send the second IP packet to the first host.
14. The forwarding device according to claim 13 , wherein
the at least one processor is further configured to:
when a next-hop IP address corresponding to the third IP packet is in the routing table, query, an Address Resolution Protocol (ARP) table for a media access control (MAC) address corresponding to the next-hop IP address;
when no MAC address corresponding to the next-hop IP address is in the ARP table, determine an online status of the destination IP address of the third IP packet based on an IP address status table, wherein the IP address status table is used to indicate online statuses one-to-one corresponding to a plurality of IP addresses within a range of at least one subnet connected to the forwarding device, and the online status is online or offline; and
when no MAC address corresponding to the next-hop IP address is in the ARP table and the online status of the destination IP address of the third IP packet is offline, add, to the deception target set, the destination IP address of the third IP packet as an unused IP address.
15. The forwarding device according to claim 13 , wherein
the network interface is further configured to:
receive a fourth IP packet, wherein the fourth IP packet is a connection reset RST packet; and
the at least one processor is further configured to determine whether the fourth IP packet satisfies a deception condition, wherein the deception condition comprises:
before the fourth IP packet is received, at least one connection establishment (SYN) packet corresponding to the fourth IP packet is received, wherein a destination IP address of the SYN packet corresponding to the fourth IP packet is same as a source IP address of the fourth IP packet, and a destination port number of the SYN packet corresponding to the fourth IP packet is same as a source port number of the fourth IP packet; and,
when the fourth IP packet satisfies the deception condition, add, to the deception target set, the source port number of the fourth IP packet as an unopened port number on a used IP address, wherein the used IP address is the source IP address of the fourth IP packet.
16. The forwarding device according to claim 13 , wherein the network interface is further configured to:
receive a fourth IP packet, wherein the fourth IP packet is an internet control message protocol (ICMP) unreachable packet; and
the at least one processor is further configured to determine whether the fourth IP packet satisfies a deception condition, wherein the deception condition comprises:
before the fourth IP packet is received, at least one user datagram protocol (UDP) packet corresponding to the fourth IP packet is received, wherein a destination IP address of the UDP packet corresponding to the fourth IP packet is the same as a source IP address of the fourth IP packet, and a destination port number of the UDP packet corresponding to the fourth IP packet is same as a source port number of the fourth IP packet, and
wherein the at least one processor is configured to, when the fourth IP packet satisfies the deception condition, add, to the deception target set, the source port number of the fourth IP packet as an unopened port number on a used IP address, wherein the used IP address is the source IP address of the fourth IP packet.
17. The forwarding device according to claim 13 , wherein the network interface is further configured to:
forward a DNS domain name request;
intercept and stop forwarding a first DNS response packet, wherein the first DNS response packet is a response packet of the DNS domain name request, and the first DNS response packet indicates that a domain name queried by the DNS domain name request does not exist,
wherein the at least one processor is further configured to generate a second DNS response packet, wherein the second DNS response packet comprises an IP address corresponding to the domain name queried by the DNS domain name request, and the IP address corresponding to the domain name is an unused IP address in the deception target set, and
wherein the network interface is further configured to send the second DNS response packet.
18. A cyber threat deception system, comprising:
a honeypot management server; and
at least one forwarding device coupled to the honeypot management server,
wherein the at least one forwarding device is configured to
obtain a deception target set, wherein the deception target set comprises at least one deception target, and the at least one deception target comprises an unused internet protocol (IP) address or an unopened port number on a used IP address, wherein the at least one forwarding device is configured to:
receive a third IP packet;
query, based on a destination IP address of the third IP packet, a routing table of the at least one forwarding device for a next-hop IP address corresponding to the third IP packet; and
when no next-hop IP address corresponding to the third IP packet is in the routing table, add, to the deception target set, the destination IP address of the third IP packet as an unused IP address;
receive a first IP packet from a first host;
determine whether a destination party that the first IP packet requests to access belongs to the deception target set;
when the destination party that the first IP packet requests to access belongs to the deception target set, send the first IP packet to a honeypot management server;
receive a second IP packet returned by the honeypot management server, wherein the second IP packet is a response packet of the first IP packet; and
send the second IP packet to the first host.
19. The cyber threat deception system according to claim 18 , wherein the at least one forwarding device is configured to:
when no next-hop IP address corresponding to the third IP packet is in the routing table, send the third IP packet to the honeypot management server; and
receive, from the honeypot management server, a response packet of the third IP packet, and forwarding the response packet.
20. The cyber threat deception system according to claim 18 , wherein the at least one forwarding device is configured to:
when a next-hop IP address corresponding to the third IP packet is in the routing table, query an Address Resolution Protocol (ARP) table for a media access control (MAC) address corresponding to the next-hop IP address;
when no MAC address corresponding to the next-hop IP address is in the ARP table, determine an online status of the destination IP address of the third IP packet based on an IP address status table, wherein the IP address status table is used to indicate online statuses one-to-one corresponding to a plurality of IP addresses within a range of at least one subnet connected to the at least one forwarding device, and the online status is online or offline; and
when no MAC address corresponding to the next-hop IP address is in the ARP table and the online status of the destination IP address of the third IP packet is offline, add, to the deception target set, the destination IP address of the third IP packet as an unused IP address.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.